The odds are pretty good you’ve lost a cellphone at some point in your life, or will in the future. In the U.S., 113 cellphones are lost or stolen every minute, and on average, an individual misplaces their phone about once a year, according to a report by mobile security firm Lookout.
Overall, more than $7 million worth of smartphones are lost daily. But for some, the cost of replacing a phone can pale in comparison to the financial risk, should your phone find its way into the hands of a hacker.
For years, security concerns prevented people from entrusting financial data or conducting transactions on their mobile devices. Now the tide has turned. A Federal Reserve survey found that 51 percent of smartphone owners used mobile banking last year. The most common activities were to check account balances and recent transactions, as well as transfer money. Twenty-four percent of smartphone users made mobile payments, according to the Fed report. Mobile commerce increased by 63 percent in 2013 alone, according to the research firm Gartner.
Every single one of these activities requires the user to enter, send and/or store financial data on their phone, which means more is at stake if the phone is lost or stolen.
“Smartphone devices have security risks in general,” says Kevin Du, a professor specializing in smartphone security at Syracuse University. “When that device connects with a financial institution, the risks become more severe, particularly when you consider how commonly people lose their phones. I don’t do my online banking on my phone because I am very worried about these things.”
Risks and dangers
Most people’s smartphones hold a wealth of information about the user. This data is remarkably easy to access, should a phone fall into the wrong hands. The simplest way to protect it is with a device password, but 62 percent of smartphone owners don’t password-protect their devices, and 32 percent have auto sign-in for banking and financial websites. In these cases, losing a phone is tantamount to handing control of your bank account to an absolute stranger.
“If you don’t put a PIN on your phone, if you don’t encrypt anything and you have done all the pre-login stuff for banking apps, it is the equivalent of leaving your front door open and your checkbook on the hall table,” says Anuj Nayar, PayPal’s senior director of global initiatives.
Once someone has access to your “checkbook,” there are a number of ways he or she could wreak financial havoc. They could transfer money out of your bank accounts, lock you out of your account or cancel it, change the billing address on an account, buy merchandise and charge it to your accounts, and sell your information to a third party, to name a few.
But using and remembering hordes of usernames and passwords is a challenge, which leads people to adopt insecure methods for tracking them all. Lori Atwood, a financial consultant in Washington, D.C., says this is one of the most common security mistakes she sees her clients make.
“The biggest danger I see is with passwords, account numbers and usernames,” Atwood says. “Clients often use a password manager app to keep all that information safe, but this raises the risk of hacking or theft.”
Even a strong, secret password is no guarantee that your data will stay safe, says Kai Pfiester, an IT security consultant at Black Cipher Security.
“If the attacker is really sophisticated and tech-savvy, he may be able to find cached data, manipulate it and subsequently access accounts on your phone,” Pfiester says.
Even if a thief can’t access your bank account, they could use other information on your phone to perpetrate identity theft and fraud. Atwood advises her clients to use mobile banking and expense-tracking apps because they help them stay within their budget. However, these apps contain sensitive information about spending habits, which thieves can use to avoid raising red flags with a bank or credit card company.
“Someone who wants to get into your account will find a way if they have access to your transactions,” Atwood says. “It shouldn’t prohibit you from using reputable apps to keep track of your spending and accounts. Just be smart and know how to access them online; know what to do if you suspect you’ve been hacked. There are many apps that do not require access to your bank accounts to help you monitor your spending.”
How to protect yourself
The first, most obvious security measure to take is setting a password lock on your phone. The second is to disable auto sign-in for banking and other financial apps. These actions may seem inconvenient, but they significantly reduce a thief’s opportunity to cause harm. Also, don’t forget to log out completely when you’re done.
People can also make themselves less vulnerable by setting different passwords for each app or service. Passwords should avoid common words, consist of a mix of numbers, letters and non-alphanumeric characters, and change frequently.
Smartphone owners should also sign up for a program that tracks lost or stolen devices, particularly those offering a “kill switch” that enables you to remotely lock and wipe your phone. Find My iPhone, Lost for Android and Lookout Mobile all provide good options.
Pfiester says that another one of the most common security mistakes he sees people make is not activating the encryption features available on their phone.
“The best way to minimize the dangers posed by mobile devices is to limit the amount of sensitive data that is put on it in the first place,” Pfiester says. “What is not there cannot be hacked or stolen. If sensitive data must be put on the device, implementing full disk encryption should be the first step. Both Android and iPhone have this feature available.”
Sometimes it may seem like you are taking proactive security steps, but the reality is different. Du of Syracuse gave the example of two-factor authentication.
“People think using two-factor authentication makes an app secure, but sometimes they forget that if you do not use it correctly, you can have a problem,” he says. “If the second factor is sending a text message with a code and the issue is that your phone is lost, then whoever has the phone has access to the text as well. So it’s really one factor because whoever has the phone can do both.”
Ultimately, protecting yourself from the financial dangers of a lost smartphone comes down to knowing the risks and making the extra effort to minimize them.
“As long as people do some common-sense things to maintain security, mobile banking or shopping is no more insecure than doing those things in any other way,” Nayar says.
Losing your phone is ordeal enough, without worrying that your identity will be stolen and your bank account drained. Make the extra effort. It’s worth it.